EU AI Act Compliance Checklist – A Practical Guide for Businesses

eu act compliance checklist
5/5 - (1 vote)

Last Updated on June 26, 2026 by Narendra Sahoo

The world’s first binding AI regulation is moving into enforcement. This checklist covers every obligation your organisation must evidence — from AI system inventory and risk classification to Annex IV documentation, human oversight, and post-market monitoring.

2 Aug 2026
Article 50 transparency obligations go live
€35M / 7%
Max penalty for prohibited AI practices
4 Risk Tiers
Prohibited, High-Risk, Limited, Minimal
35.7%
Of managers who feel adequately prepared for EU AI Act

1️⃣ What Is the EU AI Act?

The EU AI Act (Regulation (EU) 2024/1689) is the world’s first comprehensive binding AI regulation. It entered into force on 1 August 2024 and establishes a risk-based framework that classifies AI systems into four tiers — prohibited, high-risk, limited risk, and minimal risk — with escalating obligations and penalties up to €35 million or 7% of global annual turnover.

The Act applies to any organisation that builds, deploys, imports, or distributes AI systems that affect EU persons — regardless of where the organisation is headquartered. If your AI output reaches EU users, you are in scope. This includes organisations based in the US, UK, Singapore, India, and beyond.

An EU AI Act compliance checklist is a structured framework that helps organisations systematically identify, classify, and govern all AI systems within scope of the regulation. It covers AI system inventory, risk classification, conformity assessment requirements, technical documentation (Annex IV), human oversight obligations, GPAI model obligations, and post-market monitoring.

💡 CRITICAL INSIGHT

The organisations most exposed under the EU AI Act are not the ones using the most advanced AI. They are the ones unable to prove operational control. Regulators will not assess intentions. They will assess proof.

Is your AI system EU AI Act compliant?

VISTA InfoSec’s CREST-approved consultants deliver practitioner-led AI governance assessments — built on operational audit experience, not theoretical templates.

Explore EU AI Act Services →

2️⃣ EU AI Act Enforcement Timeline

Understanding when each obligation becomes enforceable is the first step in any EU AI Act compliance programme. Enforcement is phased — missing a date does not mean missing everything, but it does mean accumulating regulatory risk.

Date What Becomes Enforceable Status
1 Aug 2024 EU AI Act enters into force (Regulation (EU) 2024/1689) ✓ In Force
2 Feb 2025 Article 5 prohibited AI practices + AI literacy obligations (Article 4) enforceable ✓ Enforced
2 Aug 2025 GPAI model obligations (Articles 51–55) apply; governance rules and AI Office fully operational ✓ Enforced
2 Aug 2026 Article 50 transparency obligations for chatbots, deepfakes and AI-generated media go live ⚠ Imminent
2 Dec 2027 Full Annex III high-risk obligations (Articles 9–15, 17, 43, 26–27) — subject to AI Omnibus adoption Upcoming
2 Aug 2028 High-risk AI systems embedded into regulated products (Annex I — medical devices, machinery, vehicles) Upcoming

3️⃣ Step 1 — AI System Inventory and Risk Classification

The first step in your EU AI Act compliance programme is correctly classifying your AI system. This determines market access, governance obligations, and potential penalties. A misclassification can significantly increase compliance requirements.

More than half of organisations have not established systematic inventories of the AI systems they operate — the minimum prerequisite for any compliance programme. You cannot classify what you cannot see.

Risk Tier Examples Key Obligation
Prohibited (Article 5) Social scoring, subliminal manipulation, real-time biometric surveillance, emotion recognition in workplaces/schools Cannot deploy in EU. Banned since 2 Feb 2025.
High-Risk (Annex III) CV screening, credit scoring, medical diagnosis, student assessment, law enforcement, critical infrastructure AI Full conformity assessment, Annex IV docs, EU database registration
Limited Risk Chatbots, customer support AI, content generation, deepfakes, synthetic media Transparency — users must know they are interacting with AI
Minimal Risk Spam filters, recommendation engines, AI-enabled games, inventory management No specific AI Act obligations (voluntary code of conduct)

👉 Sectors Most Commonly Misclassified as Lower Risk

An HR screening tool may appear to be limited risk but qualifies as Annex III high-risk because it affects employment decisions. Common misclassification areas:

✓  Healthcare — Clinical decision support, diagnostic AI, patient triage and prioritisation tools
✓  HR and Recruitment — CV screening, candidate scoring, employee performance monitoring, work allocation tools
✓  Financial Services — Credit scoring, insurance risk assessment, fraud detection affecting individual EU persons
✓  Education Technology — Student assessment tools, adaptive learning systems, examination proctoring AI
✓  Public Sector — Any AI affecting access to benefits, services, or critical infrastructure decisions

✅ STEP 1 CHECKLIST — AI INVENTORY & CLASSIFICATION
□  Compile a complete inventory of all AI systems in operation (internal and vendor-supplied)
□  Identify your legal role for each system: provider (built/placed on market) or deployer (uses it operationally)
□  Assign a documented risk classification (prohibited / high-risk / limited / minimal) with written rationale
□  Check all Annex III sectors for potential high-risk classification — do not assume lower risk
□  Verify no AI systems fall under Article 5 prohibited practices — if so, immediate action required
□  Schedule inventory review at least quarterly and whenever new AI tools are procured

Not sure how to classify your AI systems?

VISTA InfoSec conducts AI system inventories and delivers written risk classification rationale aligned to Annex III — ready for regulatory scrutiny.

Book an AI Classification Assessment →

4️⃣ Step 2 — Provider vs Deployer Obligations

The EU AI Act structures obligations around your legal role — not your job title. Getting this wrong is one of the most common compliance gaps.

🛠 PROVIDER

Develops or places an AI system on the EU market under your name or trademark — paid or free. Heaviest obligation set.

✓  Risk management system (Article 9)
✓  Data governance and logging (Articles 10, 12)
✓  Annex IV technical documentation (Article 11)
✓  Human oversight design (Article 14)
✓  Accuracy, robustness, cybersecurity (Article 15)
✓  Conformity assessment + CE marking (Article 43)
✓  EU AI database registration before deployment
✓  Quality management system (Article 17)
✓  Post-market monitoring (Article 72)

📋 DEPLOYER

Uses a high-risk AI system in operations. Independent obligations under Article 26 — a vendor’s certification does not protect you.

✓  Use system per provider’s instructions
✓  Implement and document human oversight
✓  Retain operational logs for minimum 6 months
✓  Monitor system operation and report incidents
✓  Conduct Fundamental Rights Impact Assessment (Article 27) where required
✓  Inform employees about workplace AI deployment
✓  Ensure input data quality and relevance
✓  Maintain AI literacy for all oversight staff (Article 4)
⚠ IMPORTANT WARNING

Many organisations assume their vendor’s certification protects them. It does not. Under Article 26, deployers hold independent obligations separate from providers. Regulators can demand evidence of oversight, logging, governance, and lawful operational use regardless of vendor certification status. A conformity assessment proves the provider built the system correctly. It does not prove your organisation operates lawfully.

5️⃣ Step 3 — High-Risk AI System Compliance Checklist

For organisations operating Annex III high-risk AI systems, the following obligations must be evidenced. The hardest requirements are operational rather than paperwork-driven — much of the burden falls on ongoing risk controls, traceable audit trails, human review, security safeguards, and maintained technical records.

👉 3A — Risk Management System (Article 9)

□  Establish a continuous, iterative risk management process covering the full AI system lifecycle
□  Identify and analyse known and reasonably foreseeable risks to health, safety, and fundamental rights
□  Estimate and evaluate identified risks with documented mitigation measures
□  Confirm residual risks are acceptable; establish feedback loops from deployment back into risk evaluation

👉 3B — Data Governance and Logging (Articles 10 & 12)

□  Implement data governance practices covering training, validation, and testing datasets
□  Ensure data is relevant, representative, accurate, and free from bias where technically feasible
□  Implement automatic logging capabilities to enable traceability of AI outputs
□  As deployer: retain operational logs for a minimum of 6 months (Article 26)

👉 3C — Annex IV Technical Documentation (Article 11)

□  Draw up Annex IV technical documentation before market placement — not after
□  Include: general description of the system, intended purpose, system architecture, design logic
□  Include: training methodologies, datasets used, validation and testing procedures, performance metrics
□  Include: known limitations, risks, and the measures taken to mitigate them
□  Maintain documentation throughout the system lifecycle — update for any substantial modification

“When enforcement begins, regulators will not assess intentions. They will assess proof.”

Need help building your Annex IV documentation?

VISTA InfoSec builds EU AI Act technical documentation packages that are audit-ready from day one — covering risk management, data governance, human oversight, and conformity assessment evidence.

Get Expert Support →

👉 3D — Human Oversight (Article 14)

□  Implement and document human oversight procedures for every high-risk AI system in operation
□  Assign designated oversight personnel before deployment — with documented competence, training, and authority
□  Ensure oversight personnel can understand AI outputs and intervene or override where necessary
□  Document the oversight mechanism in the technical file and operational procedures

👉 3E — Accuracy, Robustness and Cybersecurity (Article 15)

□  Define relevant accuracy metrics and test systems against identified risks throughout their lifecycle
□  Implement cybersecurity measures addressing AI-specific threats: data poisoning, model evasion, adversarial attacks
□  Specify accuracy levels in accompanying technical documentation
□  Assess confidentiality attacks and model flaws; document mitigation controls

👉 3F — Fundamental Rights Impact Assessment — FRIA (Article 27)

□  Conduct a FRIA before deploying high-risk AI systems affecting vulnerable groups or public services
□  Document the assessment and retain it as evidence — regulators can request it
□  Update the FRIA whenever the intended purpose or operating context materially changes

6️⃣ Step 4 — General-Purpose AI (GPAI) Model Obligations

GPAI model obligations (Articles 51–55) have applied since 2 August 2025. These apply to foundation models and large language models placed on the EU market — including models like GPT, Claude, Gemini, Llama, and Mistral, and importantly to organisations that build applications using these models as a base.

✅ STEP 4 CHECKLIST — GPAI OBLIGATIONS
□  Maintain technical documentation for the EU AI Office covering model architecture and training procedures
□  Publish a sufficiently detailed summary of training content (training data transparency)
□  Implement copyright compliance policies respecting EU copyright law and rights reservations
□  Furnish technical information to downstream providers building on your model
□  For systemic-risk models (>10²⁵ FLOPs): conduct adversarial testing, report serious incidents to AI Office
□  Consider signing the GPAI Code of Practice for a presumption of conformity — voluntary but strongly recommended

7️⃣ Step 5 — Transparency Obligations (Article 50) — Deadline: 2 Aug 2026

Article 50 transparency obligations apply to chatbots, AI-generated media, emotion recognition, and biometric categorisation systems — regardless of their risk classification. These become enforceable on 2 August 2026.

✅ STEP 5 CHECKLIST — TRANSPARENCY
□  Ensure all chatbots and conversational AI clearly disclose at the start of every interaction that users are communicating with an AI system
□  Apply machine-readable labelling to all AI-generated audio, image, video, and text content
□  Disclose the use of emotion recognition or biometric categorisation systems to affected persons
□  Implement AI literacy training for all staff involved in AI oversight or operation (Article 4 — already enforceable)

Article 50 enforcement starts 2 August 2026 — are your chatbots and AI outputs compliant?

VISTA InfoSec reviews your AI interfaces, labelling practices, and transparency disclosures against Article 50 requirements — before enforcement begins.

Book an Article 50 Review →

8️⃣ Step 6 — Conformity Assessment and EU Database Registration

High-risk AI systems must undergo a conformity assessment and be registered in the EU’s public AI database before deployment. The conformity assessment proves the provider built the system correctly — but as noted, it does not discharge the deployer’s independent obligations.

✅ STEP 6 CHECKLIST — CONFORMITY & REGISTRATION
□  Complete internal conformity assessment (Annex VI) or third-party assessment (Annex VII) as required
□  Affix CE marking and draw up EU declaration of conformity before market placement
□  Register the high-risk AI system in the EU AI public database prior to deployment
□  Re-assess conformity following any substantial modification to the system

9️⃣ Step 7 — Post-Market Monitoring and Incident Reporting

EU AI Act compliance is not a one-time project. Post-market monitoring (Article 72) and serious incident reporting (Article 73) mean that obligations continue throughout the operational life of the AI system. Organisations that treat compliance as a deployment checklist will fail.

✅ STEP 7 CHECKLIST — POST-MARKET & INCIDENTS
□  Implement a post-market monitoring system to actively collect, document, and analyse performance data throughout the AI lifecycle
□  Establish a process for reporting serious incidents and malfunctioning to national competent authorities
□  Implement corrective actions (Article 20) where post-market monitoring identifies risks or non-conformity
□  Feed post-market findings back into the risk management system — this loop is itself a compliance requirement

10️⃣ SMEs and Startups — What the Proportionality Provisions Mean

The EU AI Act includes specific proportionality provisions for SMEs and startups under Article 55. Regulatory sandboxes and simplified conformity assessment pathways are available. However, proportionality does not mean exemption.

✓  SMEs are not exempt from high-risk AI obligations — proportionality applies to administrative burden, not to safety requirements
✓  National competent authorities must provide SMEs with dedicated guidance, support, and sandbox access
✓  Reduced fees apply to SMEs in certain conformity assessment procedures
✓  SMEs with existing ISO 27001 or SOC 2 controls can significantly reduce compliance cost through control mapping — these frameworks address many overlapping obligations

How exposed is your organisation to EU AI Act enforcement?

VISTA InfoSec delivers a structured EU AI Act readiness assessment — covering AI inventory, classification, provider/deployer obligations, and documentation gaps — with a prioritised compliance roadmap.

Explore EU AI Act Services → Book Free Consultation

Frequently Asked Questions

Does the EU AI Act apply to organisations outside the EU?
Yes. The territorial scope is broad and functional, not geographical. Any organisation whose AI system is placed on the EU market, put into service in the EU, or whose output affects EU persons is in scope — regardless of where the organisation is headquartered. This includes organisations based in the US, UK, Singapore, India, and elsewhere. Location provides no safe harbour.
What is the difference between a provider and a deployer under the EU AI Act?
A provider develops or places an AI system on the EU market under their name or trademark. A deployer uses a high-risk AI system in their operations. Critically, both roles carry independent obligations — a deployer cannot discharge their Article 26 responsibilities simply by relying on the provider’s conformity assessment. If you use any AI tool for decisions that affect people (hiring, credit, access to services), you are a deployer with regulatory obligations regardless of whether you built the system yourself.
When do the main high-risk AI obligations take effect?
Following the EU AI Act Omnibus (provisional political agreement, 7 May 2026), Annex III high-risk system obligations have been deferred to 2 December 2027, pending formal Omnibus adoption. However, Article 5 prohibited practices are already enforceable (since 2 February 2025), GPAI obligations apply since 2 August 2025, and Article 50 transparency obligations take effect 2 August 2026. Organisations should not interpret the Annex III deferral as a reason to delay preparation — the preparation time required is substantial.
What are the penalties for violating the EU AI Act?
Penalties are tiered by violation severity: up to €35 million or 7% of global annual turnover for Article 5 prohibited practices; €15 million or 3% for high-risk system violations (Articles 9–17); and €7.5 million or 1% for providing incorrect information to authorities. These figures exceed GDPR’s maximum penalties — making the EU AI Act one of the most financially consequential compliance obligations currently facing organisations that deploy AI.
We already have ISO 27001. How much of the EU AI Act does that cover?
ISO 27001 addresses many foundational controls that overlap with EU AI Act obligations — including risk management, access control, incident response, and governance. However, the EU AI Act introduces AI-specific requirements that go significantly beyond ISO 27001’s scope: Annex IV technical documentation, AI-specific risk classification rationale, human oversight design, FRIA, EU AI database registration, GPAI obligations, and Article 50 transparency requirements. Organisations with ISO 27001 have a head start, but substantial AI-specific work remains.

VISTA InfoSec • CREST-Approved EU AI Act Consultants

Build Your EU AI Act Compliance Programme

From AI system inventory and risk classification to Annex IV documentation and post-market monitoring — VISTA InfoSec’s certified practitioners guide you from readiness to evidence.

 

Explore EU AI Act Services → Book Free Consultation